Fw: OSX Installation Using Mysql
Hello

I have been able to compile freeradius on Mac OS X 10.2.8 (Jaguar). The freeradius is OK, I can authenticate, everything looks great. I have also installed mysql and imported all needed databases for dialup_admin. But I can't activate the rlm_sql_mysql driver.

The error message that I get while launching the check-config script or radiusd with option -X is:

  rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
  rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
  radiusd.conf[14]: sql: Module instantiation failed.

I have tried many things to solve it without success. I have tried to compile mysql from the source instead of using the Apple package. I have tried several different paths for the configure options:

  ./configure --with-mysql-dir=/usr/local/bin --with-mysql-lib-dir=/usr/local/lib/mysql --with-mysql-include-dir=/usr/local/include/mysql --disable-shared

  ./configure --with-mysql-dir=/Library/MySQL/bin --with-mysql-lib-dir=/Library/MySQL/lib/mysql --with-mysql-include-dir=/Library/MySQL/include/mysql --disable-shared

and many others ...

I have also tried to link the lib manually with common OSX tools (dyld, ld, libtool, ar, ...).

So my questions are the following:

Has someone been able to use the mysql modules with freeradius on OSX?
What should be the way to link the rlm_sql_mysql lib properly/correctly?
How can I check that my MySQL is linked as static?

Thank you in advance

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wireless Best Practices
hi

> > I want to know if Mac filtering will be too much of a headache vs.
> > having the AP proxy the authentication/association to a radius server?
>
> MAC authentication can be spoofed. EAP can't be.

i completely agree.

> > If I use Radius, can I make it so only the employee needs to
> > authenticate?
>
> No, but I'm not sure you want to allow un-authenticated users onto
> your network.

it depends on your APs, but you can. usually, if your AP supports multiple SSIDs, you can define security settings on the SSID basis. this would include 802.1X, RADIUS, etc. i.e. you can have an "open" SSID _and_ a closed SSID requesting authentication.

now of course, it doesn't make any sense if both lead to the same network. hence, the SSIDs have to be mapped to VLANs, which is a current practice.

> > If I use 802.1x, I am thinking the Radius server back at the corporate
> > location will be on their DMZ. Is the shared Secret in clear text
> > between the AP/Router to the Radius server?
>
> The shared secret is never sent in any packet.

alan is of course right, but if you have a more general doubt about the RADIUS internal security (like user privacy, etc.), you will have to add a local RADIUS server and to proxy the requests to your corporate RADIUS server. then, both RADIUS servers could use e.g. IPSec and thus your RADIUS traffic leaving your local networks would be well protected. (the direct way, an AP which does IPSec, doesn't exist on the market at the moment)

> > Is PEAP, the most logical choice here? Why wouldn't I use it?
>
> If PEAP works, you can use it. If you're running Linux clients, I'd
> recommend EAP-TTLS.

:-) i don't even know why ms has started developing PEAP when the TTLS draft was already available since a year...

ciao
artur

--
Artur Hecker
artur[at]hecker.info
Re: EAP subtype as authorization
hi

> > so what value would i set the EAP-Type attribute to?
>
> See the dictionary file for the values for the EAP-Type attribute

no, i think we didn't understand each other. you are talking about Auth-Type := EAP which is set automatically by the EAP module in the authorize section. that's evident.

what i want, is quite different _and_ quite necessary, given the potential generality of the EAP authentication methods. in the same manner like you can demand CHAP, PAP, MS-CHAP or whatever EAP on a per-user basis, i.e. reject EVERY request for this user NOT having the pre-defined (part of authorization) authentication type, you should be capable of defining which EAP subtype the user is trying to use.

EAP can be potentially as simple as CHAP or based on certificates, kerberos or GSM-SIM cards. so, it's crucial to be able to control that. you don't want your users to freely choose the possibly weakest authentication method. you probably want to enforce ONE and only method per user. a propos, that was strongly recommended for all RADIUS servers. now if you enforce Auth-Type := EAP, you effectively do not enforce _anything_, since it can be almost everything.

we should probably add a kind of Auth-Type := EAP/MD5 possibility and then, in the code fragment you posted, we should check if the provided EAP type matches the preconfigured one. if yes, the authentication can take place. if not, the reject should be sent. for example...

i thought even, that it would be possible by defining instances of the eap module with different default_types. but then, the eap module should set the Auth-Type to the subtype and only if the provided EAP-Message includes this one, and the code you mentioned should check as described above... imho...

perhaps alan could say something on this matter, i'm far from being freeradius configuration possibilities expert :-)

> > i don't want the user X just to grab the EAP-method Y and freeradius to
> > use it if it finds it in user's request. i want freeradius to impose _a_
> > certain EAP subtype (and to deny user if it's not the configured one).
>
> From a quick look at the rlm_eap sources i don't think that it is possible.

that's exactly the problem. it's not.

ciao & thanks
artur
No certificate matches private key - openssl problem
Hello,

I am a newbie to FreeRadius, but I guess my problem concerns openssl. Using http://www.impossiblereflex.com/8021z/eap-tls-HOWTO.htm I created the files CA.root, CA.srv and CA.clt to generate certificates. Everything's fine for the first two files, but when I execute

  ./CA.clt clientCA

I get the error message:

  Check that the request matches the signature
  Signature ok
  ERROR: adding extensions in section xpclient_ext
  No certificate matches private key
  2359:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
  unable to load certificate
  2360:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

I use the standard configuration with openssl-0.9.7b. I guess it might be a problem with the name of the client, but I am not sure. Is anyone able to solve this problem?

Lots of thanks,
Jerzy Witaszczyk
PPP
Hi,

I have FreeRADIUS set up in a pretty basic manner. It passes authentication requests through to an LDAP server. I need for FreeRADIUS to return the attribute "Framed-Protocol = PPP" along with saying if the authentication is successful. I am unable to add anything to the user's schema. How would I go about doing this?

Thanks!

Regards,
Tom
RE: What is the best "Flavor" of Linux to use with FreeRadius?
At 02:44 PM 11/6/2003, Paul Hampson wrote:

> From: Chris Parker
> Sent: Friday, 7 November 2003 3:09 AM
> At 10:02 AM 11/6/2003, Kristina Pfaff-Harris wrote:
> >You might also consider trying OpenBSD or FreeBSD instead of a Linux
> >distribution.
>
> There are some thread issues on Free/Open BSD at the moment I believe
> so you might not get the best performance out of FreeRADIUS on those
> systems.
>
> The latest FreeBSD release adds some previously missing functions to
> FreeBSD ( namely a working threadsafe get(host|name)by*_r() ). The
> work to add that to the configure/build process has not been done
> yet however.

Do we have any details on that? I'd love to get at least _some_ version of FreeBSD working thread-safely...

http://lists.freebsd.org/pipermail/freebsd-hackers/2003-July/001859.html

This was forwarded by a friend who is a FreeBSD advocate when I complained about the lack of thread-safeness ( and cross-platformness ) of the resolver libs on FreeBSD.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Wireless Best Practices
"Jerry Roy" <[EMAIL PROTECTED]> wrote:
> I want to know if Mac filtering will be too much of a headache vs.
> having the AP proxy the authentication/association to a radius server?

MAC authentication can be spoofed. EAP can't be.

> If I use Radius, can I make it so only the employee needs to
> authenticate?

No, but I'm not sure you want to allow un-authenticated users onto your network.

> If I use 802.1x, I am thinking the Radius server back at the corporate
> location will be on their DMZ. Is the shared Secret in clear text
> between the AP/Router to the Radius server?

The shared secret is never sent in any packet.

> Is PEAP, the most logical choice here? Why wouldn't I use it?

If PEAP works, you can use it. If you're running Linux clients, I'd recommend EAP-TTLS.

Alan DeKok.
Re: What is the best "Flavor" of Linux to use with FreeRadius?
While I question the validity of discussing OS's on a Radius mailing list (for fear of the all-too-popular flame wars) I would suggest the following:

Let me start by saying I've installed FreeRadius in tons of configurations, and on a lot of different OS's. It compiles on most. (Never could get it going on AIX, but only tried for a few hours.)

Now the real meat:

I started with slackware way back in the day, then tried FreeBSD and fell in love. I've tried just about every major (and some minor) linux distros, and they never fit my *personal* flavor or taste the way FreeBSD does. This is not to recommend FreeBSD or any other distro.. this is simply to provide an example of how each OS varies.

Your best bet is going to be.. install whatever you can get the most helpful support for. Typically, this would be whatever OS most of your friends use. After you become comfortable with the admin side of the OS, the learning curve for the next UNIX-like OS is very minor. The major difference between the different UNIX-like OS's is package management. Then you have several smaller things command wise. One OS might have the "adduser" command. Others might have "useradd". These are rather insignificant differences.

After you've got the basics down, try a few others, play and experiment. You'll find the one that suits your tastes and feel.

My whole point is, don't limit yourself to one OS. Do like you did when you were dating and "play the field", no need to get married right away or to the first OS that treats you right :-)

Everyone will tell you $OS is the best, when reality is: the Best OS is the one you are most comfortable with.

On a side note (but related): As far as security, you may hear the hype about some OS being more secure than another. This is 100% bogus. No *competent* admin leaves a server 100% default. The security of the OS is directly related to the admin's experience and knowledge. If you have "the most secure OS" and install an old exploitable piece of software, your OS isn't going to save you :-)

I hope this email helps in at least some small way. If nothing more than "think for yourself". Sadly, I'm at work and was interrupted about a dozen times writing this, so I hope it makes sense.

Jeff Palmer
DrkShdw @ Freenode IRC network
Wireless Best Practices
Hi Listonians,

I am in the process of deploying a large number of Wireless Routers for a large customer's teleworkers (AP/Routers will be at their homes). I am requesting input on best practices and easiest/most secure deployment. Laptops will be used at the office and also at their homes. Here is what I have so far:

1) Wireless Router with multiple ssid capability. One ssid for the roaming employee to authenticate/associate and a 2nd ssid for rest of family (default ssid?).
2) I will not be broadcasting ssid's.

I want to know if Mac filtering will be too much of a headache vs. having the AP proxy the authentication/association to a radius server?

If I use Radius, can I make it so only the employee needs to authenticate?

I was considering 802.1x (WPA). How do I secure the connection across the Internet from the AP/Router to the Radius server?

If I use 802.1x, I am thinking the Radius server back at the corporate location will be on their DMZ. Is the shared Secret in clear text between the AP/Router to the Radius server? What disadvantages/security risks would this design bring?

Is PEAP, the most logical choice here? Why wouldn't I use it?

Thanks,
Jerry
RE: What is the best "Flavor" of Linux to use with FreeRadius?
> From: Chris Parker
> Sent: Friday, 7 November 2003 3:09 AM
> At 10:02 AM 11/6/2003, Kristina Pfaff-Harris wrote:
> >You might also consider trying OpenBSD or FreeBSD instead of a Linux
> >distribution.
>
> There are some thread issues on Free/Open BSD at the moment I believe
> so you might not get the best performance out of FreeRADIUS on those
> systems.
>
> The latest FreeBSD release adds some previously missing functions to
> FreeBSD ( namely a working threadsafe get(host|name)by*_r() ). The
> work to add that to the configure/build process has not been done
> yet however.

Do we have any details on that? I'd love to get at least _some_ version of FreeBSD working thread-safely...

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
RE: FreeRADIUS 0.9.2-1 (Proposed) Debian package uploaded
> From: Artur Hecker
> Sent: Friday, 7 November 2003 12:08 AM

> i'm sorry to take your time (since it's not really freeradius related).
> while i believe to understand the minor differences between the
> GPL/OpenSSL licenses, i do not understand why and how e.g. the IETF
> standard tracks (like e.g. 2243 or 2289) do not comply to the DFSG? i do
> understand the difference to the informational IETF documents as e.g.
> rfc2869 which preserve the explicit rights of the author, but why the
> standard tracks? why wouldn't it apply to TLS e.g.? would you kindly
> explain this?

As far as I understand it, the boilerplate copyright notice and license at the end of all RFCs since somewhere in the 2200's is not DFSG-free.

Quite simply, it fails rule #3 (http://www.debian.org/social_contract#guidelines):

  The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

with the following part of the boilerplate:

  However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

Or at least, that's how I read it. It was discussed on the Debian developers mailing list a while ago, and the result was that this boilerplate is not DFSG-free, but the copyright on previous RFCs (which is in a different file, I really should include that in the Debian copyright file) _is_ DFSG-free.

If you like, I can dig up the discussion in the archives, or you can look yourself at lists.debian.org under debian-devel... Honestly can't say when it was though, sometime this year. Prolly mid-year, but I'm not sure.

> thanks for your time
> artur

No worries. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
Re: using EAP with rlm_sql
Dave Mason <[EMAIL PROTECTED]> wrote:
> For an EAP authentication, the authorize block modcall calls
> eap_authorize, which returns "updated." However, rlm_sql runs and
> searches the database for the EAP user, which isn't there. Everything
> works, but the database hit is unnecessary. Is there something I can do
> to prevent that?

The database hit is usually necessary, in order to discover what username/password to use. The control flow goes like:

  rlm_eap discovers EAP in the request, marks it as "Auth-Type EAP"

  rlm_sql discovers user "bob" has password "bob", and adds the password to the config items for the request

  rlm_eap authenticates user "bob", using password "bob", to do EAP-MD5, etc.

If you don't need the database hit, see 'doc/configurable_failover'. Have the SQL module run only if EAP returns "noop".

Alan DeKok.
Re: (no subject)
Sanjiv Thakor <[EMAIL PROTECTED]> wrote:
> My Question is: Is there documentation available describing the options
> available to start the radius daemon. I have tried to do an extensive
> search but unfruitful. Can someone please guide me?

The 'man' page which ships with the server? Or 'radiusd -h'?

Alan DeKok.
(no subject)
Hi

I am new to the freeRadius Users List. I had used Radius (Livingston) about 4 years ago and I am having to use it again all over.

My Question is: Is there documentation available describing the options available to start the radius daemon. I have tried to do an extensive search but unfruitful. Can someone please guide me?

Thanks,
Sanjiv
Re: What is the best "Flavor" of Linux to use with FreeRadius?
I think this is going to be a "Religious" matter.

Many people like Slackware
Many people like Debian
Many people like Suse
Many people like redhat
Others Trustix or Mandrake.

If you are new to linux I think this is not the place to discuss which one is better. Without being mad, this is a freeradius list :), let's try to keep the hard fights over Linux distros outside here :)

On Thu, 2003-11-06 at 11:08, Chris Parker wrote:
> At 10:02 AM 11/6/2003, Kristina Pfaff-Harris wrote:
> >On Thu, 6 Nov 2003, Michael Melanson wrote:
> >
> > > I am new to linux as well as free radius.
> > >
> > > I am involved in a project to create an open network architechure.
> > >
> > > I envision radius and eap to accomplish this
> > >
> > > Please advise what is the best Linux to use with free radius
> >
> >Hi. I really agree with Thor Spruyt who said that you should install some
> >distributions and see which one you feel most comfortable with. RedHat is
> >going to more of a high-priced subscription version, so you may want to
> >try out its free version, "Fedora" (http://fedora.redhat.com/) if your
> >budget is a concern. Novell just bought SuSE Linux, so I'm not sure how
> >that's going to pan out, support and price-wise. My favorite is Debian for
> >various reasons including ease of install/upgrade and stability, but
> >really, try out several, read the documentation, and see which one you
> >like best.
>
> My 2 cents worth, is take a look at Slackware. :)
>
> >You might also consider trying OpenBSD or FreeBSD instead of a Linux
> >distribution.
>
> There are some thread issues on Free/Open BSD at the moment I believe
> so you might not get the best performance out of FreeRADIUS on those
> systems.
>
> The latest FreeBSD release adds some previously missing functions to
> FreeBSD ( namely a working threadsafe get(host|name)by*_r() ). The
> work to add that to the configure/build process has not been done
> yet however.
>
> -Chris
> --
> Chris Parker, Director, Engineering, StarNet Inc.
> WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net
Re: What is the best "Flavor" of Linux to use with FreeRadius?
At 10:02 AM 11/6/2003, Kristina Pfaff-Harris wrote:

On Thu, 6 Nov 2003, Michael Melanson wrote:
> I am new to linux as well as free radius.
>
> I am involved in a project to create an open network architechure.
>
> I envision radius and eap to accomplish this
>
> Please advise what is the best Linux to use with free radius

Hi. I really agree with Thor Spruyt who said that you should install some distributions and see which one you feel most comfortable with. RedHat is going to more of a high-priced subscription version, so you may want to try out its free version, "Fedora" (http://fedora.redhat.com/) if your budget is a concern. Novell just bought SuSE Linux, so I'm not sure how that's going to pan out, support and price-wise. My favorite is Debian for various reasons including ease of install/upgrade and stability, but really, try out several, read the documentation, and see which one you like best.

My 2 cents worth, is take a look at Slackware. :)

You might also consider trying OpenBSD or FreeBSD instead of a Linux distribution.

There are some thread issues on Free/Open BSD at the moment I believe so you might not get the best performance out of FreeRADIUS on those systems.

The latest FreeBSD release adds some previously missing functions to FreeBSD ( namely a working threadsafe get(host|name)by*_r() ). The work to add that to the configure/build process has not been done yet however.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: What is the best "Flavor" of Linux to use with FreeRadius?
On Thu, 6 Nov 2003, Michael Melanson wrote:
> I am new to linux as well as free radius.
>
> I am involved in a project to create an open network architechure.
>
> I envision radius and eap to accomplish this
>
> Please advise what is the best Linux to use with free radius

Hi. I really agree with Thor Spruyt who said that you should install some distributions and see which one you feel most comfortable with. RedHat is going to more of a high-priced subscription version, so you may want to try out its free version, "Fedora" (http://fedora.redhat.com/) if your budget is a concern. Novell just bought SuSE Linux, so I'm not sure how that's going to pan out, support and price-wise. My favorite is Debian for various reasons including ease of install/upgrade and stability, but really, try out several, read the documentation, and see which one you like best. You might also consider trying OpenBSD or FreeBSD instead of a Linux distribution.

The only thing I would suggest is that you'll want to keep an eye out for what your needs are. If you're only going to be running FreeRadius on the server, it really doesn't matter much what distribution you use, as you can strip it down to the bare minimum. If you're also going to be running Apache, Sendmail/qmail/postfix, or other services, then you'll want to find out as much as you can about how the distribution puts out bug fixes and how well they keep up with security.

Kristina
Re: parse error in build 061103
"Mark Townley" <[EMAIL PROTECTED]> wrote:
> I get the following output when trying to compile today's build (on
> solaris).
>
> I was wondering if it is similar to the problem with yesterdays build
> that Alan said would be fixed?

That problem is fixed. I'll fix this other one later today.

Alan DeKok.
Re: What is the best "Flavor" of Linux to use with FreeRadius?
Linux is not a distribution but the kernel itself. There is no answer to that question.

I run it on RedHat myself. The reason for that is simple: RedHat is commercially supported and that's what big companies need. Commercial support is important for them in case something happens to me. My favourite when it comes to linux is gentoo but I also used debian for a while. Personally I use FreeBSD for any of my servers that I do not run for external customers.

My advice is: If you have a fresh start and want to make things fast, use debian for simplicity. If you want to run the newest freeradius compiled from sources then use whatever you already know the best. If you want the best there is for servers, run BSD.

Cheers,
YazzY

On Thu, 06 Nov 2003 10:06:04 -0500 "Michael Melanson" <[EMAIL PROTECTED]> wrote:
> HI folks
>
> I am new to linux as well as free radius.
>
> I am involved in a project to create an open network architechure.
>
> I envision radius and eap to accomplish this
>
> Please advise what is the best Linux to use with free radius
>
> Thanks

--
"I've heard if you play the Windows-CD backwards, you get a satanic message."
"That's nothing, if you play it forward, it installs Windows."
Re: What is the best "Flavor" of Linux to use with FreeRadius?
- Original Message -
From: "Michael Melanson" <[EMAIL PROTECTED]>

> HI folks
>
> I am new to linux as well as free radius.
>
> I am involved in a project to create an open network architechure.

Meaning?

> I envision radius and eap to accomplish this
>
> Please advise what is the best Linux to use with free radius

Is freeradius the only thing you're going to run? I would choose RedHat, but please install some distributions to get a feeling of which one you like most. Technically, there shouldn't be a 'best linux for freeradius'.

> Thanks

Thor.
What is the best "Flavor" of Linux to use with FreeRadius?
HI folks

I am new to linux as well as free radius.

I am involved in a project to create an open network architechure.

I envision radius and eap to accomplish this

Please advise what is the best Linux to use with free radius

Thanks
Re: EAP subtype as authorization
On Thu, 6 Nov 2003, Artur Hecker wrote:
> hi kostas
>
> > So you only need to set the EAP-Type attribute in the authorize section on a per
> > user basis and i think it should work.
>
> so what value would i set the EAP-Type attribute to?

See the dictionary file for the values for the EAP-Type attribute

> i don't want the user X just to grab the EAP-method Y and freeradius to
> use it if it finds it in user's request. i want freeradius to impose _a_
> certain EAP subtype (and to deny user if it's not the configured one).

From a quick look at the rlm_eap sources i don't think that it is possible. rlm_eap will currently honor an EAP-NAK request from the client and change the EAP-Type to whatever the client requested (if that eap type is supported by rlm_eap). Though it should not be that difficult to add something like a configuration directive (or a radius attribute)

  enforce_eap_type = yes|no

It would actually probably be the patch included (not tested though sorry).

> do i miss something?
>
> ciao
> artur

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
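Added example, not part of the thread and not FreeRADIUS code: a standalone C sketch of the per-user check discussed above, where an EAP-NAK asking for a method other than the configured one is rejected instead of honoured. The `eap_policy` struct, `eap_check_response` and the sample packets are hypothetical and constructed for illustration; the EAP type numbers are the standard RFC 3748 / IANA values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP code and type numbers from RFC 3748 and the IANA EAP registry. */
enum { EAP_CODE_RESPONSE = 2 };
enum { EAP_T_IDENTITY = 1, EAP_T_NOTIFICATION = 2, EAP_T_NAK = 3,
       EAP_T_MD5 = 4, EAP_T_TLS = 13, EAP_T_TTLS = 21, EAP_T_PEAP = 25 };

typedef enum {
    EAP_START,     /* send an EAP-Request for *next_type */
    EAP_CONTINUE,  /* pass the packet to the method already running */
    EAP_REJECT,    /* policy violation: answer with Access-Reject */
    EAP_MALFORMED  /* fails basic length checks: drop */
} eap_verdict;

/* Hypothetical per-user policy; these names are illustrative only. */
struct eap_policy {
    uint8_t required_type; /* method configured for this user */
    int enforce;           /* 1 = act like the proposed enforce_eap_type = yes */
};

/* Constructed sample packets: Code, Identifier, Length (2 bytes), Type, Data. */
static const uint8_t PKT_IDENTITY[] = { 2, 1, 0, 8, EAP_T_IDENTITY, 'b', 'o', 'b' };
static const uint8_t PKT_NAK_MD5[]  = { 2, 2, 0, 6, EAP_T_NAK, EAP_T_MD5 };
static const uint8_t PKT_TLS[]      = { 2, 3, 0, 6, EAP_T_TLS, 0x00 };
static const uint8_t PKT_MD5[]      = { 2, 3, 0, 6, EAP_T_MD5, 0x00 };
static const uint8_t PKT_TRUNC[]    = { 2, 4, 0, 16, EAP_T_TLS, 0x00 };

eap_verdict eap_check_response(const uint8_t *pkt, size_t len,
                               const struct eap_policy *pol, uint8_t *next_type)
{
    size_t eap_len, i;
    uint8_t type;

    *next_type = 0;
    /* A Response carries at least Code, Identifier, Length and Type. */
    if (pkt == NULL || len < 5 || pkt[0] != EAP_CODE_RESPONSE)
        return EAP_MALFORMED;
    eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 5 || eap_len > len)
        return EAP_MALFORMED;
    type = pkt[4];

    /* Identity: the server picks the method, so offer the configured one. */
    if (type == EAP_T_IDENTITY) {
        *next_type = pol->required_type;
        return EAP_START;
    }

    /* NAK: the data is a list of methods the peer would accept instead. */
    if (type == EAP_T_NAK) {
        for (i = 5; i < eap_len; i++) {
            if (pkt[i] < EAP_T_MD5)
                continue; /* 0 = no alternative; 1-3 are not auth methods */
            if (pol->enforce && pkt[i] != pol->required_type)
                continue; /* peer asks for a method this user may not use */
            /* Without enforcement the peer's first proposal wins; a real
             * server would also check that it supports that method. */
            *next_type = pkt[i];
            return EAP_START;
        }
        return EAP_REJECT;
    }

    /* Method data: under enforcement it must belong to the configured method. */
    if (pol->enforce && type != EAP_T_NOTIFICATION && type != pol->required_type)
        return EAP_REJECT;
    *next_type = type;
    return EAP_CONTINUE;
}

int main(void)
{
    static const char *names[] = { "START", "CONTINUE", "REJECT", "MALFORMED" };
    struct eap_policy strict = { EAP_T_TLS, 1 }, lax = { EAP_T_TLS, 0 };
    uint8_t nt;
    eap_verdict v;

    v = eap_check_response(PKT_IDENTITY, sizeof PKT_IDENTITY, &strict, &nt);
    printf("identity, enforced: %s type %u\n", names[v], (unsigned)nt);
    v = eap_check_response(PKT_NAK_MD5, sizeof PKT_NAK_MD5, &lax, &nt);
    printf("NAK->MD5, lax:      %s type %u\n", names[v], (unsigned)nt);
    v = eap_check_response(PKT_NAK_MD5, sizeof PKT_NAK_MD5, &strict, &nt);
    printf("NAK->MD5, enforced: %s type %u\n", names[v], (unsigned)nt);
    return 0;
}
```

With `enforce` set to 0 the NAK for EAP-MD5 is honoured, which is the behaviour described for rlm_eap in the message above; with it set to 1 the same packet is rejected.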
accounting updates
Hi,

the default accounting_update_query in sql.conf makes no update for input and output octets and session-time. Is this correct, or should the query look like the following:

  accounting_update_query = "UPDATE ${acct_table1} SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"

Thanks for any clarification

Didi

--
Didi Rieder [EMAIL PROTECTED]
PGPKey ID: 3431D0B0
Re: EAP subtype as authorization
hi kostas

So you only need to set the EAP-Type attribute in the authorize section on a per user basis and i think it should work.

so what value would i set the EAP-Type attribute to?

i don't want the user X just to grab the EAP-method Y and freeradius to use it if it finds it in user's request. i want freeradius to impose _a_ certain EAP subtype (and to deny user if it's not the configured one).

do i miss something?

ciao
artur
Re: EAP subtype as authorization
On Thu, 6 Nov 2003, Artur Hecker wrote:

> hi people
>
> do i ignore something or am i right in the assumption that it is
> currently not possible to define different EAP authentication methods on
> a per-user basis with the provided onboard configuration?
>
> (would be a nice feature to have john use PEAP while jack has to go for
> pure TLS, for instance...)
>
> or can it somehow be done by defining "instances" of the EAP module with
> different eap default types? (i obviously haven't tried it yet)

Hmm, that's already supported :-) Look at src/modules/rlm_eap/eap.c line 196:

    case PW_EAP_IDENTITY:
    {
        VALUE_PAIR *vp;

        DEBUG2(" rlm_eap: EAP Identity");

        /*
         * Allow per-user configuration of EAP types.
         */
        vp = pairfind(handler->request->config_items, PW_EAP_TYPE);
        if (vp) default_eap_type = vp->lvalue;

So you only need to set the EAP-Type attribute in the authorize section on a per user basis and i think it should work.

> ciao
> artur

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
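The negotiation described in Kostas's two replies in this thread (a per-user EAP-Type as the first offer, then the client's EAP-NAK deciding the final type), modelled as an added example; it is not FreeRADIUS code and not the untested patch mentioned in the thread. `struct eap_policy`, `eap_handle_nak` and the `enforce` flag (standing in for the suggested `enforce_eap_type`) are hypothetical names, and the packet layout and type numbers are taken from RFC 3748.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP code and type numbers from RFC 3748 and the IANA EAP registry. */
enum { EAP_RESPONSE = 2, EAP_NAK = 3, EAP_MD5 = 4, EAP_TLS = 13, EAP_PEAP = 25 };
#define EAP_REJECT (-1)

/* Hypothetical per-user policy: the EAP-Type set during authorize, plus the
 * enforce_eap_type switch suggested in the thread (an assumption, not a real directive). */
struct eap_policy {
    uint8_t user_type;  /* type the server offers first for this user */
    int enforce;        /* non-zero: refuse every other type */
};

static int is_supported(uint8_t t, const uint8_t *sup, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sup[i] == t) return 1;
    return 0;
}

/* Decide how to answer an EAP-Response/Nak. Returns the type to offer next,
 * or EAP_REJECT. Layout: Code(1) Id(1) Length(2, big endian) Type(1) types... */
int eap_handle_nak(const uint8_t *pkt, size_t len, const struct eap_policy *pol,
                   const uint8_t *sup, size_t nsup)
{
    if (len < 5 || pkt[0] != EAP_RESPONSE || pkt[4] != EAP_NAK)
        return EAP_REJECT;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 5 || eap_len > len)   /* Length field lies about the buffer */
        return EAP_REJECT;
    for (size_t i = 5; i < eap_len; i++) {
        uint8_t want = pkt[i];
        if (want == 0)                  /* 0 = peer has no alternative to offer */
            return EAP_REJECT;
        if (pol->enforce) {
            if (want == pol->user_type) return want;
            continue;                   /* ignore any type the policy did not pick */
        }
        if (is_supported(want, sup, nsup))
            return want;                /* honour the NAK, as the thread describes */
    }
    return EAP_REJECT;
}

/* Constructed sample: the peer NAKs the server's offer and asks for EAP-MD5. */
static const uint8_t SAMPLE_NAK_MD5[] = { EAP_RESPONSE, 0x01, 0x00, 0x06, EAP_NAK, EAP_MD5 };
static const uint8_t SUPPORTED[] = { EAP_MD5, EAP_TLS, EAP_PEAP };

int main(void)
{
    struct eap_policy lax = { EAP_TLS, 0 }, strict = { EAP_TLS, 1 };
    size_t n = sizeof SAMPLE_NAK_MD5, s = sizeof SUPPORTED;
    printf("lax=%d strict=%d\n", eap_handle_nak(SAMPLE_NAK_MD5, n, &lax, SUPPORTED, s),
           eap_handle_nak(SAMPLE_NAK_MD5, n, &strict, SUPPORTED, s));
    return 0;
}
```

With enforcement off, the constructed NAK moves a user configured for EAP-TLS onto EAP-MD5; with it on, the same packet is rejected.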
Re: FreeRADIUS 0.9.2-1 (Proposed) Debian package uploaded
hi paul

i'm sorry to take your time (since it's not really freeradius related).

while i believe to understand the minor differences between the GPL/OpenSSL licenses, i do not understand why and how e.g. the IETF standard tracks (like e.g. 2243 or 2289) do not comply to the DFSG? i do understand the difference to the informational IETF documents as e.g. rfc2869 which preserve the explicit rights of the author, but why the standard tracks? why wouldn't it apply to TLS e.g.?

would you kindly explain this?

thanks for your time
artur

> * Deleted RFCs: 2243 2289 2433 2548 2618 2616 2620 2621 2719 2759 2809 2865 2866 2867 2868 2869 2882 2924 3162 from source tarball due to non-DFSG-free copyright.
> * Disabled PostgreSQL, x.99 token, EAP/TLS, Kerberos, LDAP and SNMP agent support due to OpenSSL/GPL conflict.
EAP subtype as authorization
hi people

do i ignore something or am i right in the assumption that it is currently not possible to define different EAP authentication methods on a per-user basis with the provided onboard configuration?

(would be a nice feature to have john use PEAP while jack has to go for pure TLS, for instance...)

or can it somehow be done by defining "instances" of the EAP module with different eap default types? (i obviously haven't tried it yet)

ciao
artur
FreeRADIUS 0.9.2-1 (Proposed) Debian package uploaded
My proposed FreeRADIUS 0.9.2-1 debian package has been uploaded to http://www.tbble.com/freeradius/

Here's the changelog VS release_0_9_2 in CVS:

* Deleted RFCs: 2243 2289 2433 2548 2618 2616 2620 2621 2719 2759 2809 2865 2866 2867 2868 2869 2882 2924 3162 from source tarball due to non-DFSG-free copyright.
* Disabled PostgreSQL, x.99 token, EAP/TLS, Kerberos, LDAP and SNMP agent support due to OpenSSL/GPL conflict.

(Sorry it's been so delayed, I have uni exams just now. :-( I will once again attempt to address the OpenSSL/GPL licensing issue when I have the time, hopefully within a fortnight or so, not to mention

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
Re: parse error in build 061103
Hi,

On Thu, 6 Nov 2003, Mark Townley wrote:

> I get the following output when trying to compile todays build (on
> solaris).
>
> I was wondering if it is similar to the problem with yesterdays build that
> Alan said would be fixed?

That's right! Guess you have the wrong sha1.h file, so delete sha1.h and start "cvs .." again. But there are more u_int... types in some other header and *.c files. I changed them all to "uint..." types. Now it works.

Ralf.

> Any ideas anyone?
>
> Mark.
>
> missing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DEAPLIB -I../../../include -c fips186prf.c -o fips186prf.o
> In file included from fips186prf.c:53:
> ../../../include/sha1.h:34: error: parse error before "mk"
> ../../../include/sha1.h:34: warning: function declaration isn't a prototype
> fips186prf.c:62: error: parse error before "u_int8_t"
> fips186prf.c:62: warning: no semicolon at end of struct or union
> fips186prf.c:63: warning: type defaults to `int' in declaration of `onesixty'
> fips186prf.c:63: warning: data definition has no type or storage class
> fips186prf.c:65: error: parse error before '*' token
> fips186prf.c:66: warning: function declaration isn't a prototype
> fips186prf.c: In function `onesixty_add_mod':
> fips186prf.c:67: error: `u_int32_t' undeclared (first use in this function)
> fips186prf.c:67: error: (Each undeclared identifier is reported only once
> fips186prf.c:67: error: for each function it appears in.)
> fips186prf.c:67: error: parse error before "s"
> fips186prf.c:73: error: `s' undeclared (first use in this function)
> fips186prf.c:73: error: `a' undeclared (first use in this function)
> fips186prf.c:73: error: `b' undeclared (first use in this function)
> fips186prf.c:74: error: `sum' undeclared (first use in this function)
> fips186prf.c: At top level:
> fips186prf.c:88: error: parse error before "mk"
> fips186prf.c:89: warning: function declaration isn't a prototype
> fips186prf.c: In function `fips186_2prf':
> fips186prf.c:92: error: parse error before "xval"
> fips186prf.c:93: error: `u_int8_t' undeclared (first use in this function)
> fips186prf.c:93: error: `f' undeclared (first use in this function)
> fips186prf.c:109: warning: implicit declaration of function `memcpy'
> fips186prf.c:109: error: `xkey' undeclared (first use in this function)
> fips186prf.c:109: error: `mk' undeclared (first use in this function)
> fips186prf.c:112: warning: implicit declaration of function `memset'
> fips186prf.c:112: error: `one' undeclared (first use in this function)
> fips186prf.c:115: error: `finalkey' undeclared (first use in this function)
> fips186prf.c:119: error: `xval' undeclared (first use in this function)
> fips186prf.c:127: error: `w_0' undeclared (first use in this function)
> fips186prf.c:130: error: `sum' undeclared (first use in this function)
> fips186prf.c:142: error: `w_1' undeclared (first use in this function)
> gmake[8]: *** [fips186prf.o] Error 1
parse error in build 061103
I get the following output when trying to compile todays build (on solaris).

I was wondering if it is similar to the problem with yesterdays build that Alan said would be fixed?

Any ideas anyone?

Mark.

missing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DEAPLIB -I../../../include -c fips186prf.c -o fips186prf.o
In file included from fips186prf.c:53:
../../../include/sha1.h:34: error: parse error before "mk"
../../../include/sha1.h:34: warning: function declaration isn't a prototype
fips186prf.c:62: error: parse error before "u_int8_t"
fips186prf.c:62: warning: no semicolon at end of struct or union
fips186prf.c:63: warning: type defaults to `int' in declaration of `onesixty'
fips186prf.c:63: warning: data definition has no type or storage class
fips186prf.c:65: error: parse error before '*' token
fips186prf.c:66: warning: function declaration isn't a prototype
fips186prf.c: In function `onesixty_add_mod':
fips186prf.c:67: error: `u_int32_t' undeclared (first use in this function)
fips186prf.c:67: error: (Each undeclared identifier is reported only once
fips186prf.c:67: error: for each function it appears in.)
fips186prf.c:67: error: parse error before "s"
fips186prf.c:73: error: `s' undeclared (first use in this function)
fips186prf.c:73: error: `a' undeclared (first use in this function)
fips186prf.c:73: error: `b' undeclared (first use in this function)
fips186prf.c:74: error: `sum' undeclared (first use in this function)
fips186prf.c: At top level:
fips186prf.c:88: error: parse error before "mk"
fips186prf.c:89: warning: function declaration isn't a prototype
fips186prf.c: In function `fips186_2prf':
fips186prf.c:92: error: parse error before "xval"
fips186prf.c:93: error: `u_int8_t' undeclared (first use in this function)
fips186prf.c:93: error: `f' undeclared (first use in this function)
fips186prf.c:109: warning: implicit declaration of function `memcpy'
fips186prf.c:109: error: `xkey' undeclared (first use in this function)
fips186prf.c:109: error: `mk' undeclared (first use in this function)
fips186prf.c:112: warning: implicit declaration of function `memset'
fips186prf.c:112: error: `one' undeclared (first use in this function)
fips186prf.c:115: error: `finalkey' undeclared (first use in this function)
fips186prf.c:119: error: `xval' undeclared (first use in this function)
fips186prf.c:127: error: `w_0' undeclared (first use in this function)
fips186prf.c:130: error: `sum' undeclared (first use in this function)
fips186prf.c:142: error: `w_1' undeclared (first use in this function)
gmake[8]: *** [fips186prf.o] Error 1
relocation error: /usr/lib/rlm_eap-1.0.0-pre0.so: undefined symbol: eaptype_name2type
Dear all,

I compiled today's CVS snapshot of Freeradius and installed it on my SuSE 8.2. After launch I got a relocation error (see bottom of my log). Do you have an idea why this happened? If you need any other information, please advise.

Regards,
Markus

start of log

linux:/usr/src/packages/SOURCES/freeradius-snapshot-20031105 # /usr/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = ""
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
/usr/sbin/radiusd: relocation error: /usr/lib/rlm_eap-1.0.0-pre0.so: undefined symbol: eaptype_name2type

end of log